Our worst hacking fears came true on Friday as criminals deployed millions of everyday objects — internet-connected cameras, printers and so on — to launch an attack on a critical part of the Internet. The attack was a success, crippling the websites of major companies like Amazon, Netflix and Twitter for hours at a time.
We now have a handle on what happened: hackers used publicly available source code to assemble a bot-net army of internet-enabled devices, and then directed those devices to send massive waves of junk requests to a DNS provider. The attack meant the provider, New Hampshire based Dyn, could not carry out its job of acting as a switchboard for the internet, and consumers could no longer reach popular websites.
The compromised devices, which make up the bot-net army, are still out there and unpatched, which means other attacks are likely on the way. This makes it a good time to ask who’s to blame for this debacle. We can start, of course, by fingering the hackers themselves, who appear to have unleashed the attack with profit motives in mind.
But we can also assign much of the blame to the companies whose sloppy security standards made the attack possible:
Wondering which IoT device types are part of the Mirai botnet causing trouble today? @briankrebs has the list: https://t.co/bETefDMa4Y
— Eric Skinner (@EricSkinner) October 22, 2016
https://twitter.com/mims/status/789628910728163328
A list of alleged culprits, compiled by security researcher Brian Krebs, include familiar names like Panasonic, Samsung and Xerox printers. The names also include lesser known makers of routers and cameras, which reportedly made up the bulk of the bot-net army.
It’s a good bet these companies are scrambling to update their product lines in a way that requires users to change the passwords (widespread use of default passwords are the main reason the devices got hacked in the first place). But it’s not fair to lay the entire blame squarely on the companies. Part of the responsibility should also lie with lawmakers and regulators, who have failed to create a safety system to account for the Internet-of-Things era we are now living in.
Finally, it’s time for consumers to acknowledge they have a role in the attack too. By failing to secure the internet-connected devices, they are endangering not just themselves but the rest of the Internet as well. No one think it’s acceptable for consumers to be clueless when they operate products like automobiles or propane tanks — so why is it okay for them to be careless with routers and security cameras?
On another note, there’s other security news this week, including a couple cool fin-tech features by Robert, which can read about below. Thanks as always for reading. And, for heaven’s sake, lock down your devices.
Jeff Roberts
@jeffjohnroberts
jeff.roberts@fortune.com
Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach me via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.
THREATS
Meet Coinbase 2.0. In 2012, Coinbase was one of the early cool kids of the bitcoin scene. Four years later, the company is barely mentioning bitcoin as it carries out a full pivot into a digital brokerage service for a wide range of money. (Fortune)
Facial recognition stops a Facebook burglar: Social media companies announced they have broken ties with a controversial company that scans their streams to identify faces for police departments. But it turns out Facebook has itself used the company to stop an intruder in CEO Mark Zuckerberg's office. (The Verge)
Ripple rocks it. Meanwhile, another fin-tech darling is riding high. Ripple announced a successful trial with 12 big banks that could lower settlement costs for cross-border currency transactions by 60 percent. (Fortune)
How Russia doxxed the DNC: Everyone not named Donald Trump is by now acknowledging that the hack of Democratic party emails was carried out by Russia. But just what did this entail? An Esquire feature reveals how the work was a years-long, meticulously planned operation. (Esquire)
I forgive you, Yahoo. How do customers react when you suffer the largest cyber-security breach in history? Apparently, they shrug. Yahoo said user numbers are about the same since the breach. Alas, it looks like the company's merger-mate won't be so forgiving — Verizon is making noises about bailing. (Fortune)
Share today's Data Sheet with a friend:
http://fortune.com/newsletter/datasheet/
Looking for previous Data Sheets? Click here.
ACCESS GRANTED
Mmmm, blockchain. Robert has a fascinating look at how Wal-Mart and IBM are using fin-tech tools to track pork safety in China:
Walmart plans to use technology developed by the Hyperledger Project, an open source software project that builds blockchain tools and is based out of the Linux Foundation...
The blockchain in question, a private database co-developed by IBM, is designed to provide the retailer with a way to indelibly record a list of transactions indicating how meat has flowed through a commercial network, from producers to processors to distributors to grocers—and finally, to consumers. Read more on Fortune.com
FORTUNE RECON
97% of Java Apps Harbor a Known Security Hole by Robert Hackett
Microsoft Cloud Warrant Cases Move Closer to Supreme Court by Jeff John Roberts
This Badge Blocks Your Face in Social Media Photos by Maddie Farber
Half of US Adults' Faces Are Being Scanned by Law Enforcement by Jeff John Roberts
NSA Contractor Accused of Stealing Data Will Face Espionage Charges Fortune/Reuters
ONE MORE THING
If you want to hack a high profile target, spear-phishing is still the best bet. But just how do you carry it out? In the case of General Colin Powell and DNC Chair John Podesta, it was a plain old "Gmail" message. Here's an up close look at what not to click. (Motherboard)
